CVE-2024-30261

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Severity Score

2.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Un atacante puede alterar la opción `integridad` pasada a `fetch()`, permitiendo que `fetch()` acepte solicitudes como válidas incluso si han sido manipuladas. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1.

A flaw was found in the nodejs-undici package. This issue may allow an attacker to alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered with.

*Credits: N/A

CVSS Scores

GitHubv3.1 2.6

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-26 CVE Reserved
2024-04-04 CVE Published
2024-04-12 EPSS Updated
2024-09-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control

CAPEC

References (9)

URL	Tag	Source
https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055	X_refsource_misc
https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3	X_refsource_misc
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672	X_refsource_confirm
https://hackerone.com/reports/2377760	X_refsource_misc
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-30261	2024-09-12
https://bugzilla.redhat.com/show_bug.cgi?id=2273519	2024-09-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				>= 6.0.0 < 6.11.1 Search vendor "Nodejs" for product "Undici" and version " >= 6.0.0 < 6.11.1"		en		Affected
Nodejs Search vendor "Nodejs"		Undici Search vendor "Nodejs" for product "Undici"				< 5.28.4 Search vendor "Nodejs" for product "Undici" and version " < 5.28.4"		en		Affected